CVE-2023-39051.md

The following is the URL of this product: https://liff.line.me/1660679085-jy2OO7WE

Unlike traditional apps that are downloaded directly from app markets like Google Play, this product is reached through a few steps. Let's take CVE-2023-43297-'animal-art-lab' as an example:

1. Open the URL in a web browser. The page shows a QR code that points to the product.


2. Open the 'Line' app on the phone and scan the QR code.


3. You can now successfully download and open the product.


Vulnerability name: Exposure of secret in Track Diner 10/10mbl

Affected product: Track Diner 10/10mbl

Affected version: v13.6.1

Vulnerability type: Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)

1. Vulnerability description

The mini-app 'Track Diner 10/10mbl' on Line exposes a critical credential, the 'client secret', to the client side, which lets remote attackers obtain it. The client secret can then be used to acquire the channel access token, which is responsible for securing the communication channel within Line and can be exploited to broadcast malicious messages.

2. Attack Vectors

The exploit requires only that the client has Line installed and opens the mini-app ‘Track Diner 1010mbl’ on Line. The response to the following request contains the critical credential, the client secret: https://asia-northeast1-pibot-order-prod.cloudfunctions.net/userEntry. We then verify the effectiveness of this secret using the tool supplied by Line.


Figure 1 Leakage of client secret

Figure 1 shows that the response to the request https://asia-northeast1-pibot-order-prod.cloudfunctions.net/userEntry leaks the Line client secret, which is strictly prohibited from being leaked. As shown in Figure 2, the client secret can be used to acquire the channel access token, which is responsible for securing the communication channel within Line.


Figure 2 Exchange the channel access token with client secret

The official definition of the channel access token is shown in the following figure. Keeping the channel access token secret is clearly important: if it is exposed, an attacker can use the channel to broadcast malicious messages.


Figure 3 The official description of channel access token

3. Vulnerability affected

This vulnerability can affect any user of the mini-app ‘Track Diner 1010mbl’. As a result, users are at risk of receiving malicious broadcast messages, such as website links, fraudulent information and so on.
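
The root cause described above is a backend response that carries the client secret to the client. The following is an added example, not code from this advisory or from the affected product: a server-side guard that builds responses from an allowlist and refuses to send any body containing a server-held secret value. The field names, the record layout and the sample secret are constructed assumptions.

```javascript
// Added example: field names and sample values are constructed, not taken from the real service.

// Fields the client actually needs; everything else stays on the server.
const CLIENT_FIELDS = ["userId", "displayName", "shopId"];

// Build the response body from an allowlist instead of returning the stored record.
function toClientView(record) {
  const view = {};
  for (const key of CLIENT_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(record, key)) view[key] = record[key];
  }
  return view;
}

// Walk a response body and report the JSON path of every string that contains
// one of the server-held secret values, whatever the field is called.
function findSecretLeaks(body, secrets, path = "$") {
  const leaks = [];
  if (typeof body === "string") {
    if (secrets.some((s) => s.length > 0 && body.includes(s))) leaks.push(path);
  } else if (Array.isArray(body)) {
    body.forEach((item, i) => leaks.push(...findSecretLeaks(item, secrets, `${path}[${i}]`)));
  } else if (body !== null && typeof body === "object") {
    for (const [key, value] of Object.entries(body)) {
      leaks.push(...findSecretLeaks(value, secrets, `${path}.${key}`));
    }
  }
  return leaks;
}

// Guard to call just before sending: refuse to emit a body that carries a secret.
function assertNoSecrets(body, secrets) {
  const leaks = findSecretLeaks(body, secrets);
  if (leaks.length > 0) throw new Error(`secret value in response at ${leaks.join(", ")}`);
  return body;
}

// Constructed sample data (hypothetical record layout).
const SAMPLE_SECRET = "0123456789abcdef0123456789abcdef"; // placeholder, not a real secret
const sampleRecord = {
  userId: "U-constructed-1",
  displayName: "Test User",
  shopId: "shop-42",
  line: { channelId: "0000000000", clientSecret: SAMPLE_SECRET },
};
```

Matching on the secret's value rather than on a key name also catches the secret when it is nested or embedded in a longer string. The same `findSecretLeaks` check can run in integration tests against every endpoint's recorded responses.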